CVE-2024-41091
Vulnerability from cvelistv5
Published
2024-07-29 06:18
Modified
2024-12-19 09:11
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tun: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP. This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does. CVE: CVE-2024-41091
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a
Impacted products
Vendor Product Version
Linux Linux Version: 4.20
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:46:52.398Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41091",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:24:56.109252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:06.194Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/tun.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32b0aaba5dbc85816898167d9b5d45a22eae82e9",
              "status": "affected",
              "version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
              "versionType": "git"
            },
            {
              "lessThan": "6100e0237204890269e3f934acfc50d35fd6f319",
              "status": "affected",
              "version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
              "versionType": "git"
            },
            {
              "lessThan": "589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2",
              "status": "affected",
              "version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
              "versionType": "git"
            },
            {
              "lessThan": "ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146",
              "status": "affected",
              "version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
              "versionType": "git"
            },
            {
              "lessThan": "d5ad89b7d01ed4e66fd04734fc63d6e78536692a",
              "status": "affected",
              "version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
              "versionType": "git"
            },
            {
              "lessThan": "a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb",
              "status": "affected",
              "version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
              "versionType": "git"
            },
            {
              "lessThan": "8418f55302fa1d2eeb73e16e345167e545c598a5",
              "status": "affected",
              "version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
              "versionType": "git"
            },
            {
              "lessThan": "049584807f1d797fc3078b68035450a9769eb5c3",
              "status": "affected",
              "version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/tun.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.281",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.223",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\ndownstack. Even before the skb is transmitted, the\ntun_xdp_one--\u003eeth_type_trans() may access the Ethernet header although it\ncan be less than ETH_HLEN. Once transmitted, this could either cause\nout-of-bound access beyond the actual length, or confuse the underlayer\nwith incorrect or inconsistent header length in the skb metadata.\n\nIn the alternative path, tun_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted for\nIFF_TAP.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tun_get_user() does.\n\nCVE: CVE-2024-41091"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:11:44.905Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319"
        },
        {
          "url": "https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3"
        }
      ],
      "title": "tun: add missing verification for short frame",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-41091",
    "datePublished": "2024-07-29T06:18:12.019Z",
    "dateReserved": "2024-07-12T12:17:45.636Z",
    "dateUpdated": "2024-12-19T09:11:44.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-41091\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-07-29T07:15:07.553\",\"lastModified\":\"2024-11-21T09:32:13.587\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntun: add missing verification for short frame\\n\\nThe cited commit missed to check against the validity of the frame length\\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\\ndownstack. Even before the skb is transmitted, the\\ntun_xdp_one--\u003eeth_type_trans() may access the Ethernet header although it\\ncan be less than ETH_HLEN. Once transmitted, this could either cause\\nout-of-bound access beyond the actual length, or confuse the underlayer\\nwith incorrect or inconsistent header length in the skb metadata.\\n\\nIn the alternative path, tun_get_user() already prohibits short frame which\\nhas the length less than Ethernet header size from being transmitted for\\nIFF_TAP.\\n\\nThis is to drop any frame shorter than the Ethernet header size just like\\nhow tun_get_user() does.\\n\\nCVE: CVE-2024-41091\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: tun: agrega verificaci\u00f3n faltante para marcos cortos La confirmaci\u00f3n citada no pudo verificar la validez de la longitud del marco en la ruta tun_xdp_one(), lo que podr\u00eda provocar que un skb da\u00f1ado se env\u00ede hacia abajo. Incluso antes de que se transmita el skb, tun_xdp_one--\u0026gt;eth_type_trans() puede acceder al encabezado de Ethernet aunque puede ser menor que ETH_HLEN. Una vez transmitido, esto podr\u00eda provocar un acceso fuera de los l\u00edmites m\u00e1s all\u00e1 de la longitud real o confundir la capa subyacente con una longitud de encabezado incorrecta o inconsistente en los metadatos de skb. En la ruta alternativa, tun_get_user() ya proh\u00edbe la transmisi\u00f3n de tramas cortas que tengan una longitud menor que el tama\u00f1o del encabezado Ethernet para IFF_TAP. Esto es para eliminar cualquier trama m\u00e1s corta que el tama\u00f1o del encabezado de Ethernet tal como lo hace tun_get_user(). CVE: CVE-2024-41091\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.